T1070
Indicator Removal
6 syscalls implement this technique
- NtFreeUserPhysicalPages
Releases physical pages previously allocated via NtAllocateUserPhysicalPages, returning them to the system page pool.
- NtSetInformationJobObject
Sets a policy or limit on a job object via one of the JOBOBJECTINFOCLASS information classes.
- NtUnloadKey
Detaches a previously-loaded registry hive from the configuration manager.
- NtMakeTemporaryObject
Clears the OBJ_PERMANENT attribute so the kernel object is freed once its last handle closes.
- NtDeleteAtom
Decrements the reference count of a global atom and removes it when the count reaches zero.
- NtUnloadDriver
Unloads a previously loaded kernel-mode driver — the BYOVD cleanup primitive.